W32/Sdbot-DNJ

Category: Viruses and Spyware Protection available since:10 Nov 2008 14:55:48 (GMT)
Type: Win32 worm Last Updated:10 Nov 2008 14:55:48 (GMT)
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Sdbot-DNJ is a worm with IRC backdoor functionality for the Windows platform.

W32/Sdbot-DNJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Sdbot-DNJ copies itself to <System>\sjehost.exe and creates the following files:

<System>\drivers\npf.sys
<System>\packet.dll
<System>\wpcap.dll

The following registry entries are created to run sjehost.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Java Express
sjehost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Java Express
sjehost.exe

The file npf.sys is registered as a new system driver service named "NPF", with a display name of "Netgroup Packet Filter". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NPF

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Java Express
sjehost.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy